 Unfortunately, that probably sometimes means vengeance. It means working on different projects that really don't see any benefit of that talent. So, yeah, we end up with these things that are really hidden, these close and potentially distributed code platform systems that we're working on. And really, you know, when we see it in government, you know, the traditional practices that are very, very binary thing that we see in government hotels. And really what we want to start to really think about is how we can add a few more colors in our option. So we can have this kind of continuum of, you know, in a source becoming that key capability for that key piece for us to get better new ones in the organization. So, you know, in a source it's really, you know, those open source practices behind the firewall. And what we started to really look at are around those areas of improving discovery, improving collaboration, and the transparency. So for us, you know, it is really starting to rethink about how we do engineering practices inside the organization. So a little bit about our road to inner source. So we really started to think about what our core principles would be. So much of the work that we've done is standing on the rest of the community around the inner source commons. And, you know, the open source community as a whole. So much of that was really starting to think about those core principles that we looked at. The openness, you know, being able to discover code internally and the documentation of models that follow us. The transparency, the being able to look across the organization, following these practices, you know, as open source practitioners would probably be very, very friendly with. And the collaborative, which typically hasn't been done in teams of working very, very solid in their organizations. But this is a way of starting to really rethink. But also change how we engage, how we start to do mentors, how we start to do learning, how we start to really bring that network effect into play to really think of how we scale this more importantly. So, you know, what we really started to think about are these core foundations for us in the source journey. That really started with the platform. And last year, we started on a journey of taking, you know, moving towards the central source code platform. And, you know, along with that, really, the practices of the people in any kind of transformation journey, we see that there's three pieces that come in there. The practices, establishing guidelines, working off what we started to see in the industry, as well as the commons as a really critical part. There's so much great work to be done out there. We didn't want to necessarily reinvent the wheel. We wanted to be able to get to, you know, change faster by leveraging what's been done already. People as well, I think we, you know, we start to see that engagement across the organization is such an important part, raising awareness. All of these things that, you know, we thought would have been a little bit more obvious, but interesting, and I'll share a little bit later, the lessons learned as we go through and all of this, we do a few assumptions that I made a mistake on, but it was a really good learning journey to understand. So last year, we had begun this journey. We've migrated, you know, what was a fairly disparate platform from the big buckets, keep that up to the world, into a central managed repository, which really started our journey and enabled that platform. And, you know, that was a bit of a bottleneck as well, because I think they're not going to, like, factor it under the attack. So my great, very large set of repositories were probably halfway through and we probably discovered probably about, you know, just under 10-dounds of code across the organization through their journey. So it's a bit of a challenge, and that's what it's done, at least through our options. And from what we did do very early on before the platform was ready, it was really established this community practice, what we call the Unisource Working Group inside the organization. We call it a number of different divisions. And, okay, to really establish this group that we could start to, you know, set up communications channels, monthly sync-ups, and as well as at least finding repositories and we could start to work on to build out the families. And interestingly, the leadership was actually very, very supportive of the whole thing. So, and I'm going to go into a little bit of detail about why we've done other challenges. But, you know, going off some of the other pieces, we started to frame these sorts of three stages, and this builds up the comments in terms of maturity models and things about, you know, these stages of Unisource adoption. I think the obvious piece is, yes, you know, at level zero, we've got closed source code. And that's the default assumption for most of the organization. Now, moving up to the next level, we've got source, being able to really see all that code that's available. And then going on to really setting contributions, or, and then going on to something that is potentially community-oriented. And so that's where we started to really frame about not only how we think about Unisource coming into the organization, but also how we start to report success. But there was a really interesting sort of quote that came about in our adoption of open source. So, when we first started off there, you know, you know, if we're familiar with open source, its commission was. But inside an organization which is fairly structured, I found things that were engaging, were coming and knocking on the door and saying, oh, do we need to get the commission from you guys to Unisource these projects? And, you know, perhaps a blind spot on my part in thinking that, oh, okay, anyone who's just going to do it, just open up your project in the terminal, adopt some of these practices and you could go. But it actually meant we had to spell it. We had to be very, very clear to say, okay, go and do what you're doing. And this is where we started to really frame it into two different models. Yeah, much like the wider community, we have this kind of model where, you know, there is this self-initiated open source, or Unisource in this case, the teams can do it in what we call a project-initiated manner. Yeah, they own Unisource in code, they release it out there, and it supports the probably the two layers of that triangle at the bottom to say that kind of readable source or yes, contributions because it's owned by the team. We then step across the community side, which is very much like we see with a lot of the Unisource conditions, where this project may be donated centrally or managed centrally. All of those sorts of things that we see as these things that are generally utility was things that may be sort of bigger than an individual project team. And so that's a kind of multi-model model, those sorts of things. And what we will now start to really think about is, well, you know, if a project does want to be donated centrally, what are the sorts of criteria that will be accepted? Much like an open source foundation, you know, those foundations and all of those sorts of things about, you know, what are these sort of acceptance criteria as well as the ongoing expectations for those sorts of things. You know, when people are throwing a repository to the wall and it's a dedicated game of course. You know, that's not necessarily always bad, but we just need to be cognizant that these things probably should have some share of the income. And so as part of all of this, we started to really sit down with the working group and develop some practice guidelines. Now, we didn't want this to be, you know, the typical problem, and they just say, you know, now I must do this and then I must follow these sorts of things. We want them to be somewhat organic. And so we came out to really align around those principles around these three core areas. And these are these sort of fairly, you know, lower areas they sort of have that we start to see around standard documentation that we need and contributing markdown documents. So, you know, there's a variety of things which you can turn on this, such as any of that. As well as, you know, licensing. And I'll go a little bit more into how we went about creating an inner-source license inside the organization. The other pieces, and this was interesting that, you know, the kind of merge and pull request codes that never really existed inside the organization, which were by extent. So we also, they had to go along the way and explain why merge requests and pull requests were such an important part. How we go about doing that. Traditional change, change advisory boards in enterprise organizations to something that gives us a better time to market, as well as better confidence. The reality is we're a somewhat low trust organization. Or at least we have to have confidence to code that we're putting into our systems because our citizen data is actually, you know, gated and verified. But that actually aligns very nicely with the kind of open-source practices too. Issue trackers, now I think there's always kind of a piece about, you know, enterprise organization. We've probably got some JIRA here. There's a platform inside over there. And really setting their expectation that, you know, a lot of teams will still maintain and do that. A lot of people really love JIRA for some reason. But at the same time, you know, there is, you know, we need to have something that is accessible and it's actually visible for those teams who do want to contribute and learn about things. And that's where we start to see labeling and licensing, sorry, labeling and ticketing practices that we can start to enable collaboration and scale. As well as the kind of decision-making processes coming and thinking about documentation as code, architecture decision records, design documents that get placed in the code repositories. Very, very fundamental shift to how we operate in government. Probably very fundamentally different to how we operate in enterprises operate in some cases too. And that became not just about saying, yeah, everyone go and do open-source and you've got to do it. And that will kind of bring the organization on to this as well. And finally, that kind of piece of that. Well, we have actually team roles, we have team structures. These are very, very important things to think about. And so, you know, I think we're probably fairly familiar with the types of roles that we see in the open-source community, both from computers to code reviews and maintenance. You know, these are the sorts of things that we're now starting to formalize in roles that people can come on board, and that one is just, you know, an ongoing piece as we start to see how these sorts of things. I mean, I think government likes to have formal roles in things, we're trying to avoid that kind of delegation of control, but it's certainly something that encouraged from operation. So an important part, because, you know, the government, while it looks like a single entity is not that each agency is, you know, its own legal entity, it's also a very wide set of different teams and also vendors as well. Legal department and work through what we call the Galtech public's license. Now that one is something specific to Galtech or collaboration is based on you know, permission, you know, sort of permissive licenses, basically MIT with a few extensions. And that really started to talk about our expectations of use of code, both by other agencies as well as vendors, as well as what happens when contributions are contributed back and who won't. And that sort of set the expectation to be a bit of a cover for those teams who are starting to open source their projects. In my, you know, common practice putting iso-tile in the repository, potentially putting it in source code files, you know, is the way we've gone about doing those sorts of things. So that was just a bit of a kind of a hygiene piece, but an important part to really get confidence as we started to roll it out. Now, you know, measurement is always a critical part. It's really quite interesting. We started off this journey in management. It was like, yes, we love the idea of going through it. But then, you know, the next question is always how do you measure it? Now this was not something that was necessarily funded. This is something that a group of us started after working community. We've worked with now source code management platform to get resources available to start to do that. But at the end of the day we still want to be able to know if we're doing a good job or things are improving. So we really started to think about what are really these core-facing tricks that we can start on. What's the easiest thing to get started? And obviously, the most obvious is kind of project visibility, knowing if it's internal or if it's closed. That's that kind of binary piece we want to start to see how we can get more nuance in there as we go forward. Best practice was another piece that we wanted to say, yeah, we have an automated script tool that will actually go on and look at a project and see, have you put in a review, have you put in a licensing file and then give you a bit of a program. And the kind of next jump is to say, well, let's also make it an easier or a greater pool of advice to give you those files if you're lacking them as well. So this is not just about the measurement, but also the enablement as well. And then finally kind of these three stages of adoption which we're getting to next, as I should do that kind of the triangle. We want to see not just the breadth of how many people are starting to use in the source, but also how many are starting to contribute how many are starting to have multiple maintenance or contributors as well. So still a very basic metric and that's the thing that we're starting from. Next once we get a bit more volume we can really start to get more nuance but because practice is still basic, we wanted to really get things moving first and then we start to report. But even though we're telling it to really kind of crunch the numbers for project disability, probably not as fast as we were expecting because we got some aging in there but at least the numbers are starting to show where we can really start to think about improvement. So inside of GoTek you know, we've actually gone working groups obviously, including everything that we do. A lot of our internal platforms, CICD, our cloud platforms are starting to in the source or the code that we can. Things like how do we provision accounts in all of these CSP's? How do we start to maybe monitor IDC? All of this kind of stuff. But the other kind of bigger discussion is in fact how do we change things for the organization. Now, as much as this we don't necessarily want to make it a mandate having open source by default we want to change it as we can. And so that's a way we're really starting now to discuss with management. You know, is this something with GoTek? Is this something that potentially can roll out to the rest of the organization as well? And so a few of the lessons learned I touched a little bit on that. Having code platforms available on RAIN is such a big part. Migration is really actually kind of that. So, you know, although we can do in a source across a gamut of different projects it really changes the model. Having central code platform means we can have that network effect rather than jumping back and forth. And so at least it's an starting point that really is the problem in the source portal and getting agreement for each of the project teams to share their resources or share in the source project. So that gives us a little bit of a sense of visibility piece. But not necessarily something critical. You know, see if the community is always such an important part. You know, I think under Minnesota it doesn't necessarily need to go down the brown bags or sharing with all of the different software engineering communities across the organization to raise awareness as a start. Commission is not required, as I said. We didn't want to be the assumption that everyone needed permission to do in a source. It needs to be permissionless. But we also needed to make sure that was the community that documented. Because the assumption was the other way around. Everyone needed to not go and say, please, please, don't do it. And really finding the right allies and supporters. That was the other piece. Getting leadership support was easy. Because we presented pretty much what was the start of this day. And I said, yes, don't do it. Talking to the developers, I think everyone was probably tight on the deal with the source. And, you know, as part of that they were kind of, yeah, we're supported by the middle management as a challenge. As it is in so many big organizations finding time, finding resources that, you know, the developers then can go and work on these sorts of projects in any important way. And so I actually meant going down and helping those teams, helping and convincing them that there is actually benefit on those sorts of things. So I actually meant in this kind of organization to go around and do a lot of manual work. And so finally, you know, starting off on your own journey, I mean, we established a community of practice. The guidance and patterns that came out of the Commons was such a great resource. And I'm hoping that we can contribute some fat in the future. As well as really starting small, you know, big bang government likes to do a big bang, kind of trying to solve everything at the end of the day. Like most initiatives, it takes time to really grow and start. So with that, I would like to say thank you very much. If you on the other hand are interested in coming to join us on this journey, we're hiring, but, you know, come and join our working group, come and help us thrive in the source across the open organization too. So thank you very much. So there's a bit of a jam in the schedule to be seeking this out in the e-sport right now. However, Mike, are you in the room? I don't think so, I'm in the room anyway. So questions, if there's one here? Oh, here, sorry. So the British government did a very radical thing, the item service decided to put on the public income including the road maps. So is that a step on how to bridge inner sources a step on how to break in the source with open source because when we're absorbing open source internally, is there a way to contribute back and create that process? Because probably it's other government agencies that can start to collaborate and use this sort of work. So I mean, I think for us, internally we solve the government agencies across Singapore. But there's a wider question, and how do we bring this community across, you know, more globally than the public sector and we have thought about that. I mean, ideally, if we could go open source for everything, we would be going that route. In a source, you know, it's kind of like the intermediary piece, but not everything can be released. And we still want to be able to get them. But I think as we go forward, at least on that previous diagram that I had, we're trying to push everything to the right, you know, open source as much as we can. Now, most of that is sort of teaching open source where open source in line is and projects. But I think as we go forward, and so I would like to see more of that. But it involves trust, I think, in some way. So I'm trying to get a new organization to start to say, you know, let's go and open source more. Let's go on the route. All right, just ask again, is my global plan in the room? OK, I've given the government a happy lap through an A. However, we are mobile tracks. So if anyone is looking to shift to other tracks, now is the right time. If not, you'll carry on. Sorry, I think I didn't notice. Who are the questions? I'm going to start with a little bit of a response. And then the second is, how do you get my team from the team? Who you want to open up their code to us? That requires an additional answer on their side, but it's not the beneficiary of that. I don't think that's a good question. Why do you think it costs a lot more than that? Sure, yes, I mean, the question was, how do we get YM across different teams? And I think that is a big piece. And a funded working group, to drive this thing, we can only go a certain way. A lot of my time I spent on being indoors and then working with the development teams as well as managers to convince them to go in a source. But I think the next stage is really to say, when we can start to demonstrate some more value, get a few more numbers to show that this is actually something we want to continue working on, can we get funded? Can we get a core team effectively in the source, common pattern level of a team that will actually be helping teams not just about awareness, but in fact, opening up their code, providing the resources to either open it up as is, and maintain it's actually ongoing as well. Or to sort of carve out a piece of a library that you can expect to that for the central team. So, that's the next step. We kind of need to prove it to get there and to ask for money and hire the right people. But I mean, if things go well, that's the intention. We've got a few over there. I think we'd rather take one more. Why not, yeah, one more? Yes, sir, could you share a little bit of the implications why, you know, management was so resistant and how do you track the people and not show them that it was a good one? Sure, yeah, so I didn't, you know, getting a bit more of an understanding of the question was about, you know, little management and understanding why there was so resistance to that. Really, it was, it was not a resistance to the concept. It was resistance that they had existing projects which backlog they needed to deliver and they had funding that they needed to address. You know, sharing money becomes the kind of the bigger piece as I'm sure a lot of organizations face as well. Budget, if we're spending it to do something for the white community, what is the trade-offs? And so it really needed to sit down and look at the truth. I think conceptually they understood but it really was about how do we make it easy? So we needed to come on our side and that's why we wrote scripts to help at least report on best practices and now the next step on how we actually would have made it become, how do we produce fiction for those sorts of things, documentation and the other part. But really sitting down was the only way that we could really do it and to talk through their concerns to understand it more. And they're all really supportive. It's just everyone's got to make any things to do and I'll put them in the balance. No easy solution for that. Yeah, next one. Thank you so much. This is a quick link on other questions. Both the room and to keep those watching by streaming, there's a lot of questions there. Four questions. Please put them in the two of them room so that you can live in the positive community telegram group. There's a group called Training 2.1 for security from a blockchain, et cetera. So I do is any questions that you have for us now, please ask them in the channel and perhaps spread it in the tower so to... Let me see if I can jump in. And respond. What next speaker? So we're breaking and we're about another 20 minutes. Hopefully some speaker will be there. But we expect the next speaker at 10.40. Thank you and we'll speak to you later. I'm a little depressed by my part. So if I could ask the... This is going to sit there for about a time or a little bit, but very good. We'll start in a very good start. Sadly, we've lost a little bit of a week. We're at 10 minutes and we'll do our own review again. And we're going to talk about the needs of the mic. Especially in the next one. We're going to talk about who's got the mic. Can you hear me fine at the back? Yeah, but the guys there, we're speaking. Oh, okay. All right. So I'm used to do this one without the mic. So welcome to South Asia. We're speaking. People who are watching need to come on and give you a message. Okay, all right. So first things first. Now, I will be sharing this. This is like tech to you and then I will not be, you know, dwelling so much time again for the sake of the timing. So there are, you know, the reason being I, we have the pause and we are hearing this. I've been using pause since 2002. Okay. So the reason being that many people doesn't understand the heart and so the force pre and often so software. For me, it's just one thing. The power is given back to the user. Okay. The power is given back to the user. Think about it. Raspberry, whatever you can do. Okay. So, where does that happen? Okay, I wouldn't tell so much of this, but if you see MQTT, probably you're already using this one in your IOPs. Okay. So solutions, there's a lot of solutions actually. All right. So my time is up. If you could just look in your cell phone and, you know, if you could tell us if it's something odd running or any Wi-Fi that is something, you know, it's not supposed to be there. So when you're running, you know, since earlier about this, and actually, you know, if we will run this quite a while, like, you know, just even five to 10 minutes, you will even see that there are running, you know, in malware or run code or, you know, malicious or virus, something like that, if you just run it. Okay. Now, we just spot the difference that it's not supposed to be there or in your cell phone. Is there anything that is running? What? I'm automatically reconnecting to iPhone network. Oh, iPhone network? Okay. Is there anything other than that? You said it was like hello, I guess. Oh, no. No. Oh, no. Are you seeing the position? Oh, yeah. Oh, we're still, okay, position. Yeah. So that is something, you know, I, but I don't worry. I have not weaponized it. I, you know, I am still okay with my life. I, you know, it's hard to live inside, you know, with the bars, right? So I'm still okay with that. But imagine this. You are in the airport, right? You just wanted to, you know, to have a free wifi and then you connect to your, to your, to your parking or whatever, you bought by something online and somebody has set up a road wifi or even clean, whatever they call it, money, the middle attack, okay? This is also applicable in the ICS Scala. When was the last time you audited your wifi? When? Usually, you just focus on land, defensive death, whatever, firewall, you know, millions of dollars, you know, tools that you have, but you know, seldom people auditor, okay, or service community defenders like us or practitioners that they audit the wifi. So. All good? Yeah, very fine. Okay, okay. There's a, all right. Thank you, Mike. This is a, I should say, a very good question. Thank you. And I don't know what we do about the language of the root numbers. It's terrifying for us to do that. It's an invitation, the things that we want. So Q&A, like, if you'd like to ask questions, please, here's the training to one topic in the positive community program chat. And Mike, would you mind going to the next event? Perhaps following, responding there. I think we should talk about how else we might get the talk done before we could. So, there's a really easy set of ideas here that we just have to stuff down. The next two speakers, hopefully, soon it's a fun, you guys, excellent, please come and sit up. And yes, I felt for that, you will need to correct it up, just to catch the screen, so it reaches the, it's been 15 minutes in a row. So, it's underrated at the University of Toronto School of Engineering and is a research provider for the innovation. Okay, that's all good. And you want to focus up higher, too. So, long overdue, too, we're hoping to get rid of these kinds of obstacles. So, it's a really important thing to do. So, good morning, Singapore. And I'm from Singapore. First of all, I'd like to thank my professor. I just came here to talk to him, because I can't do all the assumptions. Because of that, I'm a professor. So, I'm Suri, and I'm a researcher at the University of Toronto Sciences and Sciences at the University of Toronto School of Engineering. And I have Sahant with me, and he's also a researcher at COTSDAB as well as a researcher at the AIT. So, today let's talk about Fighter II, the future of authentication. Now, as you already know, passwords are not safe anymore. If you ask me why, I'll just... All good? Sir, just to give you a thing. Not there, here. Okay, sure. There it is. That's it. Thanks. So, let me start over. So, as you know, passwords are not safe already. If you ask me why 52% of the users use the same password for multiple accounts in their day-to-day lives. Now, this leads to many kinds of attacks such as pre-attacks, boot-frozing, and even pretension-stuffing attacks. You can see how the simple and predictable passwords can lead to vulnerable decisions. If you want to figure out if your password has been compromised, you can use this website. Have I been phoned? And check whether it has already been phoned or not. So, as a solution for these simple passwords, we have something called MFA, Manufacturer Authentication. This basically refers to having two or more verification steps in order to gain access to certain kinds of applications. Now, in an MFA, we have many kinds of MFA types available in the world. So, these three things are the most common styles. The first one is knowledge-based, things you know, such as P-number, CPP questions and stuff. And then, possession-based, something you have, such as MSLTP and TOTP. And then the final one is inheritance-based, things you are, such as your biometrics, fingerprints, your breath, your eyes. Now, let's talk about FIDAR. FIDAR stands for Fast Identity Online. And that's kind of a combination of all these three types I mentioned earlier. FIDAR refers to setup open and standardized authentication protocols that is ultimately intended to eliminate passwords, which is very vulnerable and outdated in a security perspective. So, if FIDAR is two authentication standards, it basically is an umbrella term for these two protocols. The first one is the FIDAR line specification for CETA. CETA means the client-authenticator protocol. And then the second one is the W3C's Web Authent Protocol. Now, I'll explain this on the later slides. So, FIDAR comes up with these two combination of these three protocols. And then you have FIDAR. So, this is how actually FIDAR works. Now, you have the Web Authenticator and CETA protocols side by side. Now, first of all, you have the client platform. This basically refers to your laptop or your PC and everything. And then we have something called an Authenticator. The Authenticator can be external or maybe internal. So, an internal authenticator might be your touch ID on your iPad or MacBook. An external authenticator can be something external that you have that you have to plug into your computer. So, the CETA protocol works in between the Authenticator and the client platform. It will be used to communicate between those two platforms using VLE or NFC or Bluetooth or even maybe just. Now, Web Authent Protocol you can use that to communicate between your client platform and the relying part. For the relying part, it basically refers to some kind of an authentication on the cloud or your network. So, the CETA protocol will communicate between those two and complete your authentication request. So, this is an in-detail flow of how FIDO works since we don't have much time today and I'm not going to explain it. But you can grab a big photo of this one or maybe I'm available around for another few hours. So, you can just grab it and ask me and I'll have it explained on this one. So, like I said, we have external authenticators and internal authenticators. And even windows hello. And external authenticators, we can have security things like UV keys to put your finger frames and authenticate stuff like that. So, ultimately, why FIDO? Why should we use FIDO instead of passwords and all this stuff? So, first of all, FIDO is stronger. It's resistant to all these attacks on the simple password dimensionality. And it's faster all we have to do is put your finger frame and you are good to go. And then it's private. And it's convenient, very convenient. You have to just use your biometrics to access all the social media platforms and everything. And it's supported on very many browsers and new softwares, this integration. And then it fits most of the new cases available to this world. And then it's industry-backed and obviously most of the organizations are moving on to this kind of FIDO2 biometrics authentication protocols. And then it's already in the market in the even context. So, how can we integrate this FIDO2 into our existing application? Samadhi is here to show you how to integrate this FIDO2 with real-world applications. Thanks. So, as Suwin said, the last two points. FIDO2 is industry-backed and in markets. So, let me cover it up with some practical examples. FIDO2 procedure, how FIDO2 is using in Azure. Any Azure users here? Alright, cool. So, this is FIDO2 simplified. Very conscious way how FIDO2 is integrating in Azure, actively developing. So, starting from the user in FIDO2 secret key into their computer. And then, as you could see in the flow diagram and then Windows detects. This is a Windows device. So, it detects the FIDO2 secret key and then it follows up with Azure AD. It set it back as a nonce and then it's configured as a private key and then it set it back as a public key and Azure AD returns as a PRT to enable access to counter-access resources. I'm not going to cover it up as a kind of administrative way how the process is working. If you're wondering how it works dynamically in the levels, you could pitch to me and ask and then. So, how do we enable FIDO2 secret keys in Azure Active Directory? So, first you have a signing into an Azure bottle and then browse it to Azure Active Directory and then go to security section and the authentication method. You could find a method called authentication method policy. Then the other thing you have to do is another method of FIDO2 secret key you have to public it and enable for all the users or any specific groups you are interested in. They enable FIDO2 secret keys and yes, that you could go and set the configuration and what are the other methods available? Obviously, you can use WSO2 Ascario. This also provides Azure FIDO2 secret keys and there are also other options available as well in Ascario. And what would be the future for FIDO2? So, what are the possible research directions and what would be the possible things with FIDO2? So, the first thing is the integration with emerging technologies like internet of things, obviously machine learning, for allowing seamless and secure authentication across wide range of devices. And the second thing is supporting with new forms of biometric authentication right now, there are many reasons to point out in the sessions of pressure recognition fingerprint recognition and eye scanning in your eye and providing even better security and convenience for users. And last, the increased support from hardware and software whether it's making it easier for organizations starting from Microsoft to other organizations and WSO2 and many organizations currently adapting for the truth. So, for implementing the technology access. So, that's it. If you have any questions you would like to ask. So, actually we would love to have a conversation with you guys if you have any questions please speak to us. Thank you. Not so much a question but one reason why I don't enable fingerprint in my devices is because I don't know if you know this but a few years ago we had a situation where the thieves cut off the thumbs right and use it to access I think the R in R or something like that. It sounds like in such an environment fingerprint authentication is a I don't know. I'm still debating this. That's very quick not a question but I'm not a reason where it's someone's eyes are out of discussion to test whether they can that kind of thing has happened. So, should we know how would the administration's work and how can it change the people's mindset to remain remain. So, yeah we just try to better than see how so basically it's not appropriate for like high risk groups where you think that you live in a neighborhood or you interact with people who are willing to hold you down and use your thumbs to force open something So, in that case is it better to just use password? So, what if you are some kind of a top-ranking government official and your boss was kissed by some kind of a hack and then you are exposed and you spend years of your life behind bars? But is it better than having your thumb cut off? I I just have to just answer this So, I I question this is this a really good idea? So, if you evaluate the pros and cons, you have always the solution that has the most of the pros. So, that actually depends on the use case and your environment and your operation and of the business So, it's not like a fantasy you really have to think carefully whether I think this is going to make you more secure or to expose you to other risks I'll stick to my long password I also ask you for your question So, as far as stick security is high we also without the unlimited set we can fill it out to depend on the nice and lair of such a way around the way the different ways it can be Metal gloves And the questions? Thanks very much guys The question about pyro-metrics is an un-solvable one Every single thing any time someone says the solution to the problem is pyro-metrics, all those tips you was at the speaker doesn't understand the problem or why that you're creating a market for stolen thumbs seems like pyro-metrics it's a case specific I might agree with that Thank you so much I'll give you this topic and you'll just do the management What we're just talking about we'll talk a little bit about how the rest of the solution is which is the lines of the security Okay, thank you Thank you Thank you Do I need the microphone? No Can you hear me? I have a voice that can carry Okay, so thank you, Ronald Thank you, for this conference amazing conference Thank you everyone for being here I'm going to talk a bit about as we talk about actually I like to add a lot of today in the title but this is what we're really looking at what we all need to do together to secure the open source software supply chain and when I mean we I mean us as the community open source community so that's what we're going to talk about today I need the microphone Okay Okay So to start with quickly we're talking about open source security and I'm going to take a step back and that's a great slide for an open source conference we have open source, it's trying innovation globally we have enormous numbers that's some of the numbers associated with open source software and it's been an amazing journey when I started 30-something years ago with open source I wasn't son I couldn't believe but now our own corporate system we're replaced by something by Linux but open source is now invasive everywhere over 40 million OSS components available today we have 420 million OSS components that are available by 2026 and 2 trillion packages download so it's just accelerating the amount of open source software another stack, 9 cent of any modern application code based is open source so this is some sort of type and many people don't know this in many ways it surprises all but open source is pervasive which is great open source innovation companies, I work in high quality blockchain, AI we've not developed as fast as they have but we're one of the private organizations open source that's enabled that but the other side of that is that we do have some challenges as we have with any software in terms of vulnerabilities and the software supply chain is under attack so this is the software software for this I've only got 20 minutes to go but we know there are challenges in terms of bad dependencies etc etc so I'm not going to go with that but there are definitely challenges and those have led to some significant challenges significant outages, ransomware etc and in this business you know it's an everyday occurrence and actually the old shell which I'll talk a little about later was a real subtle moment in terms of realising how important open source software is and what we should be doing in terms of securing the software supply chain so right now, why is this important what we're doing is that we are at the same stage so open source flows through software supply chains into every application whether you know it or you don't know it but it's there security is critical so we've developed trillions of dollars I'm not telling you I'm going to make two projects I've mentioned there's trillions of dollars in innovation shared innovations happen we need to protect them share software brings shared responsibility to the community but by the way, our business are winning so there's increases in tax for what you mentioned there's like 700% increases in terms of supply chain and government violence action I'm going to talk specifically about an activity that was driven initially by the White House around public policy and see what they're able to do so to put it in a nutshell what we need to do we need to prove what we need to prove we're going to have hot security which is kind of the standard we're doing things to some kind of system security so we need to have tools to measure the trust wellness code based on objective measures so we need to go to something that's source counter standard that is trust processes that encourage better security practices by developers so how can we get developers involved and tools to process the courage to let them share responsibility with security and add my defaults this should be defaulted in everything that everyone does it should be in how the source is built and used in order to make it secure so lets the organization the event source security foundation comes chat chat and you can say that the next foundation established this organization in 2019 the OpenSSF is a global initiative securing investment resources and expertise to measure and improve the security open source software and we bring together cyber security and open source software building an array of different technology initiatives to help with this course particularly around open source software security and software open specifications and open education resources I'm going to touch on some of those within my next welcome and other products and activities that build cyber security capacity and reduce global cyber security these are our our members we have a very strong support these are our premium members we've actually been going for just over a few years and we've kind of hit in the middle of the pandemic so we have a very strong support from the likes AWS from Google I think taking more than IBM and SNE most of these organizations these are our premium members we have a long list of our general and associate members from many many different of those financial institutions like Coinbase and Dresden Goldman Sachs Scanges who came who are a startup here who are Singapore Scanges and also we have Nanyang a technology university it's one of our associate members as well and it's justified list from talks associates nonprofits and governments these are our core members this is how we look we have a governing board, a technical advisory committee we have different organizations that come off those and we have a bunch of user groups so I'm going to go through very quickly I see you I'll get help go to OpenSSR this is for for our community and we have two other key projects out for Amiga I'm going to talk over that and six more this is our OpenSSR working groups these are all available on GitHub you can record on YouTube all the meetings it's all milleted it's all available we're on the wrong side of the planet sometimes a lot of these have different time zones so what I do and I'm very open to see what else we can do here to assist and do other things within this time zone which is very important and that's what I'm working with so best practices best practices for our school guard MFA to some of the key projects we have a bunch of training funnability disclosures, we've had a great guide it's a coordinated run of related exposure but that's all software projects we've heard a lot from Jay and Alex by Ali then distributed and there was some challenges with the way that came out so we're trying to see how we can make that more clear and explicit and that's with everything to give us improvement identifying security threats security tooling supply chain security Google so that's a framework for doing some supply chain and then we have securing critical projects key projects we identify which are the most critical projects as we know there are millions of projects to get help with all the important ones what we should be looking at and which ones we should be protecting and helping and these are the projects that's 10 minutes and we'll go very, very quickly so this is the AlphaMe project Alpha as I know that we have so we'll be 2 sides Alpha is the top 20 projects to see we're already giving money, help Python, Rust, JQuery, Node.js help build their maturity capacity for compare and response to security issues Amiga, we're working on scanning the other the next 10,000 projects so this is a project originally edited by I think it was Google Microsoft AWS for funding this so that's one project we have a lot of training I've only got a few minutes it's great and by the way we've got to secure off software not just open source software but all software so this is the mindset now to open source software I'd like to take you a little bit into some of the some of the at the end of the year or after the day in terms of rating the events so as you all know in 2021 we had a lock check that broke the internet so it was an issue for everyone so basically the White House called in led by other agencies because open source cloud infrastructure companies so like Google's AWS big banks and openSSF it actually stopped by a foundation and I think the kind of message was this isn't the new order hopefully not to the other it's so as an industry how do we collaborate to help open source software which now mostly possessive so this is a new short place and I think a few minutes we'll talk about three different areas software production might help developers have better tools to build better software second to improve cloud discovery so let's go out and find more tools and mediation and then the third area is the short ecosystem patching and how can we make sure that we know patching so the three kind of goals that we identified happened to the White House and how can we develop the open source security mobilization plan which is the first one yes I have slides more I'm happy to take you through it and we along with our coming war expert community we define these areas about 150 million of funding but we have that we're not a PC we're not the kind of ground one this is the community and these are 10 different areas baseline security software development so education we have education and digital signatures and expanding and talking about yesterday open source security response team and you know have time to go through it all there's a lot of detail I'm happy to go through but we have a lot of work to do we can do that and we have a lot of people working on this we have much this last year at cross section of developers and with federal agencies US we're a viewing plan to get up to a high level and we actually got some funding for the White House and the Paracom to be able to enter Microsoft doing that some of the top projects so I don't have time to do that. Also in Asia Pacific we did this in Germany as well with agencies, I'm looking for a link back up, please link back up on the link to help but please don't take that and also open source communities around the region. So now I'm going to go to a desk, I'll go through this but I think there's another time, here it is again. So the number that you make is a lot of money, it's not really relative to the damage, I'm blocked for J, I think it's a little bit of a medal but just one instance, the Equifax that will work was 700, it was fine for one hour. Actually, this is a huge notice, if you have it, but if you make it, make it in forced action against business that fell, it's a lot of money. So in my last five minutes, I really want to say that we have lots of information, we have channels, this is a breakout hall, we have Microsoft and other organizations talking about updating, we're going to do stuff here, I would also like to do webinars, we've got experts here, so we can talk about this in our time. So maybe there's something that we can add at this part of the world, so it's very open, it's all available to everybody. I'm organizing meetups, we've done a lot here in Singapore already with other our men of scanters, but I'm working with others to do that, we'll probably organize a meetup in around three quarters here, which everyone's welcome to come on to and we'll start kind of engaging, we have a Slack group, I think it seems it's somewhere more already than Tokyo, something Bangalore, and we shall continue doing that, and everyone is welcome to get involved with the volunteer, because people get involved to help support this effort. So as I said, you can visit our home, you can join as a member company, you're a corporate, as an individual, you can just get involved, Slack channels, mailing lists, working groups, we're all welcome, and I'm always available on LinkedIn, Telegram, Slack, 9, We2. I'm everywhere, so we are always welcome to help you, so they will thank you, I think we've probably got like one or a minute left, or is there any questions around that, but that's okay. Yes? I don't know, I think you might keep an eye on the review that went into some analysis, I think they're working on some kind of analysis. If you go down to the west side, you've got the whole review of how they did it, because that's something we can't just put it in the same way, it's not like that, we're an open source community, right? So they have a way to help, everyone wants to help, but I say how they can help the way that they can use the Yeah, any other questions? Yes, okay, so I'm happy to meet Arthur, anytime, and thank you for all of that. Thank you, yeah, thank you. This is fluent here in information, I don't know, just make sure to decide what the other sessions seem is the funding and going into the strong medical exercise, and also feeling that the events have got on work, this is the problem, it's just fellow residents would know or make them talk about work. Oh, we have, it's not just going up to a lot of the videos, it's going to be non-save, non-save languages, it's like 10 teams that are paraphrasing in basic practices of hundreds, so it's a, prior to that, I gave you some questions, I'll tell you a little bit about you, everyone's got the time, keep an eye on that, and we'll see what you're going to do with this. Thank you very much. Thank you, you're very much. Thank you, everybody. Okay, so next up, let's go to the scroll, we have Ayush and I'm Ayush Okta, I work as a health program for the Caltech Institute, which is a non-operative education organization in the USA, we work on a lot of projects, CalXX is one of them, it's an android-based smartphone operating system that forces on the privacy and security. In today's talk, I'll go through how we have implemented operability by security levels, so that a user can choose what kind of security he wants the device to be, just as one talks over, so first of all, go through what security levels are, and what we have implemented in CalXX, and then I will go through the pregnancy function development, so that how someone else can just use those operability and implement this for their own and work-based operating system. Then we'll go through the 1004 and then we'll go through some of the blind features that we are currently working on, so security levels, what are security levels and what do we need them? I think the question with contact of people that is very possible, why do I need to be concerned about the security and why should I even be concerned about the security? The very simple answer to that is that not everyone is familiar with the best and the features that are on their device every time. It takes quite a lot of time to find the very best possible combination of the settings that you may not recognize to be in. Switching between those combinations is quite hard different times. You may want different modifications for your work, you may want different modifications for your personal life, you may want different modifications. The end days, not the end days. They don't depend on what kind of period you are working on. And there is the part of the export opinion, or because not everyone is familiar with what a particular setting is doing. Sorry for that. The export opinion is always helpful because not everyone is from there. What kind of settings are you doing things in the background? You are not quite sure. Like, if that setting is doing what you are thinking, it needs to be in the background. Coming on to security levels. Security levels offer pre-configured security choices. As for the error requirement, they are configured by the export between the developers. They know the best because they are developing those features. Added restrictions from the users' actions and options, depending upon the use case. What you are seeing in the image is from the door browser. They have security levels implemented in the screen there. So, as you can see, there are three modes, standard, safer, and safest. Depending upon the case, the user can really change what security level is imposed on their web browser. Standard mode, everything is enabled. You can then go and go safer, which is also dangerous website features, cost limits, and use functionality. Then they can just go into safer, which is able to use it as a square design. It's much more restricted. Well, there are a lot of other browsers who also use event-ready type of security levels. They are just below such implementation when it comes to these punch forms, however, which will use majority of the times during our daily lives. That's why we actually invented it. And in spite of the door browser, we actually implemented security levels in Kelly's OS. We also invented two security levels, which are standard, safer, and safest. These security levels are shown in the user when they boot their device with Kelly's OS for the very first time. So, it's presented in set-up wizard. The last is a set-up password, your security levels, and everything else. The options that are shown in the list are standard, safer, and safest. All these options are currently in development, which means that we are improving it as soon as the API comes. There are different features you can assure. It's pretty good. But the standard mode is the recommended move for everyone, which means that all it contains are default features, which are popular for a normal everyday user for their everyday lives. Then there is the second level, which is the safer. Safer builds are non-standard, but what it does is that it sets a time on for the Wi-Fi and built-in for starters, which means that they automatically get turned off when they are not being used for a certain period of time, which is also usually configurable. We set it to a certain time on as well, but it won't. Which means that if you leave home with your Wi-Fi enabled and it's time to be used while you are in transit or something, it gets automatically turned off, same case for the built-in. We also set the device to be moved automatically after a certain period of time of non-uses, which means that it utilizes at your possession, where you just work on it somewhere after a certain period of time, and it's likely to be used if you are going to be moved, and then if you only need the ping to unlock your fingerprint based on lock, those kind of things won't work. The safer mode also requires a work profile. Work profiles are a certain encapsulated profiles in which you can install your applications you wish to limit the access to the system, which means that applications which are installed in this work profile will not have access to your data, which contains, let's say, your private images, your other applications, their data. And finally, the safer mode also enforces forward as the focus on VPN, which in the work profile, which means that all the network communication that is being made within that work profile is going over towards or what VPN is encrypted. No one knows what you are doing other than yourself. And finally, the safest mode. Safeest mode does not save you, but it's much restricted. There is also the fact that safest you cannot remove from the device without finding the phone device. What safest does is that it disables USB data signaling, so if your device is going to be seeing if the phone is charged, if no data can be shared from it, there is also the fact that a lot of device issues come when you install applications from unknown sources normally, from the internet somewhere. So, safest mode also restricts the user between strong applications from unknown sources. It also disables the DT button features, which means that no ADV access you do not connect with the PC and just use those different features to extract some of your data from the device. And finally, it also disables JavaScript in Korea. Now, I will go through how we actually want to develop this. This is, this might show a bit amount of code that's Java and continent but it's real simple one. But before going into that, there were some prerequisites that were required to develop. The very first one is Deep Palace, which is a World Profile Manager application. World Profile to deploy it, you usually need a dedicated application with the World Palace, which is a World Profile Manager application. It allows user to provision and manage World Profile locally on their device without connecting to the internet or asking your company to do it manually. It is very simple and you can put basically a material and put it through your coffee which is the latest primitive guidelines from the Google for the Android. It is also compatible with both the ASP and cradle build system which means that any developer can just simply pull in your repository and start working with it through the Android screen or any idea of their choices. Next is the third options. As I mentioned earlier in the safest mode, the debugging is just like a stable. And if you want Android to last, you might notice that there are quite a lot of useful features in the debugging options, which are not catalytic to give you a device debugging. Example would be an OEM of talking to which you can remove the operating system and install it on the device and replace it with a custom OS. The other one would be taking bugger code so that you can remove to the developer which apps are crashing, which apps are not working and whatever issues you are facing on the device. There is they also need Wi-Fi and non-processing Mac optimization so that you can change the Mac address whenever it's connected for Wi-Fi and much more. Considering the dependencies were getting disabled in the safest mode, what we did was wear some of this important option outside of the developer options so that even if it is dependent which is not disabled, a user can use those features without any issues. So what we did was we added a new screen for other options within the settings application this contains those much frequently used for application options. These options also still maintain the security requirements for certain switches such as taking bugger code which is a surefire way to collect what's going on your device and you may not want anyone to access it so it still asks you your password whenever you want to collect a bugger code. The same goes for the OEM unlocking because the operating system can change so whenever it's turning it's on it still asks your password before letting you do this. So now going to development how this was done whenever a user puts a device for the first time they go into setup result setup result that asks the user what kind of profile level they want the device to be in that the secure setup result probably gets this localized which is a work profile manager application work profile values and also all the settings that are that you want to apply to the device that is a nice function before that this is a little bit worse with the android studio and any idea of your choice so that any developer can access it alone change their what settings they want their access to be in and justify a good work then finally once the device is finished finished whatever it wants to do maybe you want to open another application it will let you do the device you can do that it simply guides users back to the launcher to which they then start using the device now looking into the code this is the code in the setup result we generally refer this as a colleague load or security levels or here under jump string we use but there are this is a string that contains three values from 0 to 1 this one is security load the security load simply puts a value let's say that users like safer so it will go to 1 then it will forward this as an intent to the device it turns out a way to reach an application or anyone can communicate with another application so it's a security one word so it basically fires another intent which is actual position managed device from the process source it that's the component name which is the palace then they can users and so it offers them put more settings in the extra provisioning bundle then if they want they can skip the application screen which will simply smooth animation that can be shown by the value system processing in the background now when values is most it is not created method gets fired here values intercepts the intent that was sent by the set up with them there are three modes that can at least insert which is action get motion mode it is also so this system asks if what provisioning mode the device is going to be in Alice simply tells that whatever set up with that set up it simply gives a possible extra from the set up with that screen turned and it simply puts it's act so Alice does not does anything special when the provisioning mode is squared and there is the action admin policy compliance and action provision successful so there can be two things one set up with that finishes it launches Palace then action admin policy compliance part is called in that part we can run whatever port we want to run after the early set up with others finished so what we do is take the whole ever complete provisioning method in which we set up various restrictions such as launching or what the problem is on VPN we restrict the installation of applications and other things and all the action provisioning successful that's all different cases we simply for that method again to set different settings as required for the cases now I'll just go to the provide features usually we are we are working on at the moment so fighting for it Android only allows one work profile or device which means that if there's already a work profile you cannot deploy more work profiles this is the limitation in the protocol source project on which it's based on so we are also working on implementing multiple work profiles so that my user can deploy more profiles as per their requirement they can deploy a work profile for personal users they can deploy a work profile for work VPN no VPN and use cases they want because if your work profile allows you to just turn on the entire set of applications at once this is quite useful for users who have different use cases for different kinds of time there's also the fact that you can use different mediums in the different profiles you can use separate applications you can separate password the password is whatever you wish for that there is the voice updateer that we are already working on in voice updateer it simply streams the updates from the KXOS service to your KXOS devices there is no download part so there is no requirement for spaces they are using the update engine APIs from the movie so since it just simply streams out updates it's also returned coffee and maternity and it's really simple there are just simply two streams one was this whole one the screen and the second one is the settings part which allows you to change the update channel on complicated notifications and other settings as required again this is also compatible with both ASP and curtainware system which means that any developer tends to be blown and start working with it as they want there are also planning to fetch the system updates from one dawn so that for the moment better privacy and security then the other features that are small but we are also working on them are examples such as data helpline links so we want to by default open the helpline links within the tor browser so that no one knows what helpline you contacted or queried for using the data we also want to allow users to check whenever your device comes online it ends a service server to know that internet is working right so we also want to interact of server selection for this connectivity check so that you can use whatever server you wish for you think it's much better but suited for your purposes for the service action we also consider we also replace the proprietary services with the micro G for medical magic with you we are also planning to move this traffic over top there is another feature that we are working on is resetting the device after a number of field events so that means that you somebody is trying to break into your device and that there is also a drop four or five times it automatically gets reset we are also discussing more features on our carry-through escape lab issues and that's all that's all from my side if you wish to do more or join community so it's a category of code and that's all from my side thank you my colleague we will ask you some questions if you have thank you very much I know that just a guy who they have will be apply what you're thinking to as a matter of fact questions probably as always the people spinning questions by the if also training to one talking about well no questions in that case I have a question I think about if I install the device at one level I will change my mind and what will go I think what's versus what consequences so we had a long discussion about this the point some of the points explained in the safest level where that USB access is to say well that you're not able to install an app from an unknown source the decision was made to like do that at when the device is first set up because if you just allow doing it any time maybe it could turn on maybe you turn it on or something then there's no point of that feature so for the same purposes at least at this moment you'd have to like set up the device and can be working you are able to yeah why but you're able to back up your data and you're able to restore the backup okay but the whole point was that we don't allow to easily go to like a higher level because if you already have unknown effectively installed let's say you already have some add down if you can already and then you want to go to see if it's what do we do with that app so we just get rid of it that it's a bad experience or do we keep it and that that passes the security feature so that's why we decided to keep it simple to just start from a clean slate but this is not the progress we'll keep going so that's cool but my concern was the authentication to go or the security that we have we don't want it once yeah okay I can go for that I can also can't raise this is that okay you can put put out quite a bit of what's up in the sense it's all about it's that's anything else before I have that happens good all right thank you again thank you next up we have we have we have all speakers at home we have three that's no big question we have 10 minutes okay we can make speakers 10 minutes from now and are and we're we're we're we're we're we're we're we're we're we're we're we're we're we're we're we're we're we're we're are sorry yes we'd have 10 minutes good afternoon and welcome back to the new security trip we have are there are Czech speakers before lunch uh dolings are moved público yes speaking and second Sunday for me again uh Grand Prix Dark Loans components for other components. This looks like the sales. Yes, yes. Okay. Thank you. Hello, everyone. I'm Chen Kai-shen. We have another speaker, Li Qingcai. We are so glad to have this talk with you in this event. And we are from NCCC, Taiwan. So today I'll talk to you about the Gen3 Data Accountants deployment for HVC Cloud. So this is our day. We have our first one is we will get some instruction on our labs and the NCCC. The second one we will conduct Gen3. And the last one is Gen3 deployment in the NCCC Cloud resource. So NCCC, the full name is National Center for Performance Computing. So we are one of eight national-level research laboratory under our labs. We are Taiwan's only national-level supercomputing centers. So we support academia and the industrial with hardwares and software, advanced research and patient development, including networking and professional trainings. So in the last 10 years, we built up our main three supercomputing tools in Taiwan. One, two, and three. And we started to serve our cloud platform NCCC since 2019. And we also reprinted in Taiwan. In TEWCC platform, we provide several cloud services in TEWCC. For example, computing and storage on demand, big data analysis, and containerized computing environment, and so on. So based on HVCC and cloud platform, HVCC by a team provides several cloud services for websites, medical, and culture. So we start to survey Gen3 search platform since 2022. So that's why we involved this kind of project. So I will give you some Gen3 introductions. Gen3 is a data platform for building data commons and data ecosystems. It consists of several open-source software services. It's about healthy data ecosystem by enabling the interaction and creating the cloud-based data resource. It's powered by CTDS from the University of Chicago. It uses a patched license version tool. So in Gen3, it has several features. It can help the health data ecosystem. For example, it has data photos, data comments, it's for data repositories. And in its platform, it provides cloud computing, large-scale processing, and some workspace, for example, to build notebook, my son-in-law. Also, in Gen3 architecture, it includes database, search engine, and the storage, and the computing. So I have short videos. We will be demo some of the industry environment and it will be easy for you to understand. The Gen3 data commons platform allows researchers to manage, analyze, harmonize, and share large biomedical data sets to accelerate their research. In this video, we will introduce some of the technology that powers the Gen3 data commons platform. Gen3 is not just a data commons software stack. It offers unique features specially suited to the next frontier of data science, data ecosystems, comprised of multiple, interoperable data commons. Fence provides authentication and authorization. It allows users to view controlled access data. It's a very short demo video that you can buy on YouTube. So I have a very quick list of features in the site. For example, you can design your data and the data schema in Gen3 system. So you can own your data models. And the user can use the client data unload to do the data submission into the Gen3 platform. And it provides the data dashboard and the sharing by the data field. So it will be easier to index the data or use what the user wants to do. And it also provides a workspace to analyze your data. It also provides an ADM key to support the user or less for API to use the Gen3 platform systems. So we'll talk about the third part. We want to talk about Gen3 deployment in the NCHC cloud resource. In this slide, we give you some conversion between two native Gen3 deployments. The first one is cloud deployment. So AWS only. And second one is double-composed version. In cloud deployment, it will be easy to scale and support fully function for Gen3. But it needs more resource requirement and complex deployment procedures. And they also highly depend on AWS service. So it did not support a new deployment report in GCP Azure. It's kind of a cloud platform. In double-composed, it will be easy to deployment. So it needs less resource requirement. So it's also available for single-order. But it's not longer up to date and it has limitation functions of the Gen3. So our goal is to provide a service, a controlable deployment procedure on the NCHC cloud resource. The second one is we want to integrate an outsized H8 high-ability service for a simple H8 DB or advanced search cluster. The third one is we want to enhance double-composed version for testing, training, usage. So we talked about, next one we talked about double-composed enhancement. So in this slide, we can see the Gen3 original Bible service dependence. So you can see a sign of the Bible service has a duplicate dependency. It will cause this service to become unstable. So we want to fix it. The third point is we want to separate some of the microservices from outside so we can use a powerful resource on the external. The third one, we want to add some new functions into the Gen3 cloud system. It will be easy for us to maintain it. So for double-composed version, we do some improvements. For example, we update a new image version and we simplify the service dependence and calculate. This will make the service style become more stable. And we also improve microservice style procedures. And we add some new plugin, for example, DGM4 and Manifest service for database management and data tech and the bunch. We also separate the database and index service to use an external service. We also make a TWCC VCS snapshot. It will be easy to use in the NCHSC cloud platform. So for current status, for double-composed version, we have the NCHSC testbed built in the NCHSC TWCC VCS VCS universal computing service. We integrate the object's storage using the TWCC cost. It's similar with S3. And we have the NCHSC tapper in the repository. You can see the repository link. So there are two ways to use the NCHSC Gen3 tapper resource. The first one is you can use the native deployment from GitHub. The second one is you can use the plugin very similar to the service on demand by using the TWCC snapshot. So this is a double-composed version we do for the Gen3 enhance. The second part, we will talk about Gen3 Kubernetes deployment. Hello, this is the Gen3. And I will continue to introduce the Gen3 Kubernetes deployment. So the Gen3 deployment they support big-stream cloud service in Google Cloud, in Europe. And they also support on-stack. But next year, we try to set up Gen3. We are only making work on database. And follow the standard following the document and the standard steps like the document. First one, we should prepare the database service like the database and the machine and then work and also other like the object storage. And then we prepare the patient of the list is useful for the management of the Gen3 platform. And install the Gen3 command and based on this command we can deploy the Kubernetes and then there are some terrible script already here so we just run it and the Kubernetes should work well and then we push the Gen3 service and then install the service and they work well with the Kubernetes. Since then we will try to move the kind of service from database to our cloud service like which is based on over-stack and other over-source. Why we do that? Because some data providers they very care their subject data and they do not allow that kind of data in the public area like the public cloud. So we have to build a private cloud and we try to understand the architecture and moving from public to private. So we check all microservice at the related open source and the service like from post-private TV in-desk research and after storage that kind of service is open source. So it's easy to migrate from database to any private cloud and we also have a making list to what to request the service and in time in our center we have cloud service high pre-killing and actually it's based on the open source over-stack and we unfortunately we do not have the ideas but we can create a post-private TV by ourselves and we also have some like in-desk search and we also use the keycard which is very important component to support the transportation because we should prepare the data as well and we still have some service cannot make some party we cannot find open source solution but some we know the solution but we do not have time to page the code. We still make it work on our infrastructure so we can run G3 service in our country in my center we have some page and related code you can see here we have what we push we contribute to the code and save it to GitHub so we can access it and currently in my center we have a same provider so we use keycard to change the different protocol for authentication this is the link contribution this is the first contribution the same contribution is we have a change to link the data so follow the center process the user just open the container select file and the file is already in the container automatically the user don't need to upload or download the file and keep the data in the container inside so the user can choose many kind of different container service and currently some people some research can do their research well this was our contribution and thank you we have a boost so if you have an interesting risk here, thank you thank you very much thank you I was on the spectrum but it probably provides a little bit of input to the stuff that I do it's easy to move that into an open state so this is an impressive work any questions from the room? No, excellent we are now going to play for lunch two resumes at about 1.30 p.m. please be in your room for two minutes prior so that you are ready to start watching and find out more time thank you very much